Snort mailing list archives

RE: Packet payload not appearing


From: "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
Date: Sat, 6 Oct 2001 11:40:59 -0400

I am using MySQL and the release version of SNORT.  And your solution makes
sense if I wasn't seeing the packet payload in the database, but I would at
least see my alerts in ACID.  I would think that Snort would analyze the
packet, see if it matches the rule and then put it in the database.  So even
if the payload doesn't fit, it should still trigger the alert.  And I turned
off the rule to trigger on every TCP packet almost immediately.  Here is the
rule that still exists:

alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us";
content:"cmd.exe";nocase;)



From: Susan Kay Coulter <skc () lanl gov>
Reply-To: skc () lanl gov
Organization: CCN-5
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Packet Payload not appearing for internal traffic.
Date: Fri, 5 Oct 2001 10:35:50 -0600


You didn't mention which database you're using, or the snaplen ... but, I
found that there is a very real limitation with mysql - depending on what OS
and how it's configured.  mysql tables have an upper limit of whatever the max
file size is on your box.  The 'data' table (which contains the payload)
usually fills up first.  This does not always cause snort or mysql to fail ...
it just stops writing payload to the 'data' table.   This could be your
situation - especially since you set up a rule that would trigger for every
TCP packet that crossed your sensor.
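The check a database-output user would want after reading the reply above: find the alerts that reached the `event` table but never got a row in the `data` table, and where in the sequence the payload rows stop. This is an added example, not code from the thread or from the Snort project; it assumes the column names of the Snort MySQL schema (`event(sid, cid, signature, timestamp)`, `data(sid, cid, data_payload)`) and uses an in-memory SQLite copy populated with constructed rows, so the query can be run offline before pointing it at a real MySQL instance.

```python
import sqlite3

# Stand-in for the Snort/ACID `event` and `data` tables. Column names are an
# assumption based on Snort's create_mysql script; check yours before use.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                    PRIMARY KEY (sid, cid));
"""

# Constructed sample: six alerts from sensor 1. Payload rows exist only for the
# first three, which is how a `data` table that stopped accepting writes looks.
SAMPLE_EVENTS = [(1, cid, 1, f"2001-10-04 17:0{cid}:00") for cid in range(1, 7)]
SAMPLE_DATA = [
    (1, 1, "474554202f636d642e657865"),   # hex of "GET /cmd.exe" (constructed)
    (1, 2, "474554202f20485454502f312e30"),  # hex of "GET / HTTP/1.0" (constructed)
    (1, 3, "504f5354202f"),                # hex of "POST /" (constructed)
]


def build_sample_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", SAMPLE_DATA)
    return conn


def events_missing_payload(conn):
    """Return (sid, cid) for every alert that has no matching `data` row.

    The LEFT JOIN keeps events with no payload; those are the ones ACID shows
    with an empty payload pane.
    """
    return conn.execute("""
        SELECT e.sid, e.cid
        FROM event e
        LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
        WHERE d.cid IS NULL
        ORDER BY e.sid, e.cid
    """).fetchall()


def last_payload_cid(conn, sid):
    """Highest cid for a sensor that still has payload stored.

    If every event after this cid lacks payload, writes to `data` stopped at
    that point rather than failing randomly, which fits a full table.
    """
    return conn.execute(
        "SELECT MAX(cid) FROM data WHERE sid = ?", (sid,)
    ).fetchone()[0]


def payload_gap_report(conn):
    """Summarise how many alerts lack payload and where the gap starts."""
    missing = events_missing_payload(conn)
    total = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    return {
        "total_events": total,
        "missing_payload": len(missing),
        "first_missing": missing[0] if missing else None,
    }


if __name__ == "__main__":
    db = build_sample_db()
    print(payload_gap_report(db))
    print("last cid with payload on sensor 1:", last_payload_cid(db, 1))
```

The same SELECT runs unchanged on MySQL. If the gap starts at one cid and never recovers, compare the `data` table's on-disk size (`SHOW TABLE STATUS LIKE 'data'` on MySQL) against the filesystem's maximum file size, which is the limit the reply describes.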

Message: 4
From: "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 4 Oct 2001 17:16:36 -0400 
Subject: [Snort-users] Packet Payload not appearing for internal traffic...

It seems my snort is not viewing the packet payload of outbound
traffic. I have two rules set up to monitor for Code Red/Nimda related
activity. One for attacks against us and another for us attacking
other sites (meaning we got infected somewhere). The incoming attacks
rule works great, the outgoing doesn't work at all. Here are my
rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt
against us"; content:"cmd.exe";nocase;)
alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us";
content:"cmd.exe";nocase;)
Again, incoming works great, I can see every box that tries to access
cmd.exe on one of our local computers.
Outgoing however, if I type in a web address say:
http://www.google.com/cmd.exe . I don't get the alert I'm supposed
to. I set up a rule for:
alert tcp any any -> any any (msg: "Flood of traffic";) and I got
several alerts but when I went into the detailed view in ACID of the
alert, the packet payload was empty. Any ideas?

TIA,
Shawn
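To see why the three rules in the post above behave differently, it helps to run them against a handful of packets with a small model of Snort's header and `content` matching. The evaluator below is an added example, not Snort code and not from the thread; it implements only the subset the rules use (`alert tcp` headers, `$HOME_NET`/`$EXTERNAL_NET` variables with `!` negation, `content` and `nocase`) and assumes a site where the internal space is `10.0.0.0/8`. It also takes the variable map as a parameter, so you can check what happens when `$HOME_NET` does not cover the addresses the sensor actually sees, and it shows that a catch-all rule with no `content` option fires on handshake segments that carry no payload at all.

```python
import ipaddress
import re

# Assumed site variables (not from the thread): internal space is 10.0.0.0/8.
DEFAULT_VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

# The three rules quoted in the post, verbatim.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt against us"; content:"cmd.exe";nocase;)',
    'alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us"; content:"cmd.exe";nocase;)',
    'alert tcp any any -> any any (msg: "Flood of traffic";)',
]

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


def parse_rule(text):
    """Split a one-line rule into header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for part in opts.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def addr_matches(spec, ip, variables):
    """'any', a CIDR, or '!CIDR', after expanding $VAR from the variable map."""
    spec = variables.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt, variables):
    """Header first, then the payload test if the rule has one."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"], variables)
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"], variables)
            and port_matches(rule["dport"], pkt["dport"])):
        return False
    needle = rule["options"].get("content")
    if needle is None:
        return True  # no payload test: every header match fires, even an empty SYN
    hay, needle = pkt["payload"], needle.encode()
    if "nocase" in rule["options"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def fired(pkt, variables=DEFAULT_VARS, rules=RULES):
    """Return the msg of every rule that fires on the packet, in rule order."""
    parsed = [parse_rule(r) for r in rules]
    return [r["options"]["msg"] for r in parsed if rule_matches(r, pkt, variables)]


# Constructed sample packets (addresses are documentation ranges, not real hosts).
INBOUND = {"proto": "tcp", "src": "198.51.100.7", "sport": 2345,
           "dst": "10.1.2.3", "dport": 80,
           "payload": b"GET /scripts/CMD.EXE HTTP/1.0\r\n\r\n"}
OUTBOUND = {"proto": "tcp", "src": "10.1.2.3", "sport": 3456,
            "dst": "203.0.113.5", "dport": 80,
            "payload": b"GET /cmd.exe HTTP/1.0\r\nHost: www.google.com\r\n\r\n"}
SYN_ONLY = {"proto": "tcp", "src": "10.1.2.3", "sport": 3457,
            "dst": "203.0.113.5", "dport": 80, "payload": b""}

if __name__ == "__main__":
    for name, pkt in [("inbound", INBOUND), ("outbound", OUTBOUND), ("syn", SYN_ONLY)]:
        print(name, fired(pkt))
    # Same outbound packet, but $HOME_NET set to a range that excludes the client:
    print("outbound, wrong HOME_NET", fired(OUTBOUND, {"$HOME_NET": "192.168.0.0/16",
                                                        "$EXTERNAL_NET": "!192.168.0.0/16"}))
```

Two things worth checking on a real sensor follow from the output: the `content` test is identical in both directions, so if the outbound rule never fires while the inbound one does, confirm that `$HOME_NET` in snort.conf actually contains the client addresses the sensor sees; and the catch-all rule matches SYN and ACK segments with zero payload bytes, so empty payloads on some of those alerts are expected rather than a storage problem.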



